www.network-box.com
Payment Card Industry Data Security Standard (PCI-DSS): Overview & Compliance
Jan van Leersum, Managing Director, Network Box Singapore
Copyright © Network Box Corporation Limited 2018. No part of this document or any of its contents may be reproduced, copied, modified or adapted, without the prior written consent of Network Box Corporation Limited.
Retail Cyber-Risk Landscape: Overview
When you plug into the world, it's easy to forget the world is also plugged into YOU.
The Internet has revolutionized how the retail industry does business and has become a 'must' for every retailer. Yet businesses in the retail industry are still reluctant to protect themselves effectively.
About 1 in 5 data breach incidents come from the retail industry.
Source: https://betanews.com/2017/06/20/retail-industry-data-breaches/
11.3 million accounts were hacked from electronic toy manufacturer VTech. Data stolen included photos and personal details of children.
Source: http://www.cnbc.com/2015/12/02/vtech-hack-data-of-64m-kids-exposed.html
110 million records of personal data and credit card details were stolen from US retail giant Target.
Source: http://www.reuters.com/article/2014/02/06/target-breach-vendor-idUSL2N0LB1TM20140206
233 million usernames, passwords, phone numbers and physical addresses were compromised at eBay.
Source: http://www.forbes.com/sites/jaymcgregor/2014/07/28/the-top-5-most-brutal-cyber-attacks-of-2014-so-far/
The average cost of each data breach is estimated at US$3.62 million.
Source: https://securityintelligence.com/know-the-odds-the-cost-of-a-data-breach-in-2017/
19% of consumers say they will cease shopping at a retailer that was breached, even if the problem was addressed and remedied.
Source: https://home.kpmg.com/us/en/home/media/press-releases/2016/08/cyber-attacks-could-cost-retailers-one-fifth-of-their-shoppers-kpmg-study.html
In the retail industry, security vulnerabilities can appear in any of the following card-processing environments: point-of-sale devices, mobile devices and PCs, servers, and e-commerce sites. PCI-DSS was created to ensure that all of these environments have a set standard of security controls in place.
PCI-DSS Overview and Compliance
Payment Card Industry Security Standards Council (PCI-SSC)
In 2004, the five major payment card brands (American Express, Discover, JCB, Mastercard and Visa) aligned their separate security programs into a single set of requirements applicable to all members, merchants and service providers that store, process or transmit cardholder data. This security standard became the Payment Card Industry Data Security Standard: PCI-DSS. In 2006 the same five brands formed the Payment Card Industry Security Standards Council (PCI-SSC), which has maintained and published the standard since.
The latest standard, PCI-DSS v3.2, was released in April 2016. It comprises 12 requirements grouped under 6 control objectives:
1. Build and Maintain a Secure Network and Systems
2. Protect Cardholder Data
3. Maintain a Vulnerability Management Program
4. Implement Strong Access Control Measures
5. Regularly Monitor and Test Networks
6. Maintain an Information Security Policy
Source: https://www.pcisecuritystandards.org/
Build and Maintain a Secure Network and Systems
Requirement 1: Install and maintain a firewall configuration to protect cardholder data
The firewall prevents unauthorized users from reaching your network and the servers that may hold cardholder data. To ensure that you are protected:
Restrict inbound and outbound traffic from untrusted networks and hosts to what is necessary for the cardholder data environment (CDE), and explicitly deny everything else (default deny).
Ensure all traffic between the Internet and the CDE passes through the firewall, and never place a system that stores cardholder data in the DMZ or directly reachable from the Internet.
Review firewall and router rule sets at least every six months.
Install personal firewall software, or equivalent, on any portable device (company- or employee-owned) that connects to the Internet outside the network and is also used to access the CDE.
Build and Maintain a Secure Network and Systems
Requirement 2: Do not use vendor-supplied defaults for system passwords and other security parameters
Default credentials (admin/admin, the SNMP community 'public', default wireless keys) are printed in vendor manuals, so they are the first thing an attacker tries. Change them before a system is connected to the network, disable unnecessary default accounts and services, and harden every system against a documented configuration standard. A weak or easily guessed password gives hackers and cyber criminals the same easy entry into your network.
The top 10 most common passwords of 2017:
1. 123456
2. Password
3. 12345678
4. qwerty
5. 12345
6. 123456789
7. letmein
8. 1234567
9. football
10. iloveyou
Source: http://fortune.com/2017/12/19/the-25-most-used-hackable-passwords-2017-star-wars-freedom/
Protect Cardholder Data
Requirement 3: Protect stored cardholder data
Cardholder data should not be stored unless absolutely necessary. If you do store it, ensure the following precautions:
Limit the amount of data stored, and its retention time, to what the business actually requires, and purge data that exceeds the retention period at least quarterly.
Never store sensitive authentication data (SAD) after authorization, even if it is encrypted: the full track data from the magnetic stripe or chip, the card verification code (CAV2/CVC2/CVV2/CID), and PINs or PIN blocks.
Cardholder data proper (the Primary Account Number (PAN), cardholder name, expiration date and service code) may be stored where needed, but the PAN must be rendered unreadable wherever it is stored (truncation, one-way hashing, tokenization, or strong encryption with properly managed keys).
Mask the PAN when displayed: the first six and last four digits are the maximum that may be shown, and only personnel with a legitimate business need may see more.
Ensure all security policies and procedures for protecting stored cardholder data are documented, in use, and known to all affected parties.
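Two of the controls above are mechanical enough to automate: masking a PAN for display, and scanning stored records for PANs and track data that should not be there. The Python below is an added example written for this page, not Network Box code or a PCI-SSC tool; the sample records are constructed (the PAN is a public test number) and the regular expressions are a simple approximation of card and track-2 formats, not an exhaustive discovery tool.

```python
import re

# Constructed sample records for this demo (not real card data): a settlement log
# that leaked a full PAN, a record holding raw track-2 data, and a clean line whose
# 14-digit field is a timestamp, not a card number.
SAMPLE_RECORDS = [
    "2018-03-01 12:00:01 txn=771 pan=4111111111111111 amount=19.99 status=OK",
    "swipe dump: 4111111111111111=25121011234567890123 terminal=POS-7",
    "2018-03-01 12:00:02 txn=772 ts=20180301120002 status=DECLINED",
]

# Track-2 layout: PAN, '=' separator, YYMM expiry, 3-digit service code, then
# discretionary data. Holding any of this after authorization is prohibited.
TRACK2_RE = re.compile(r"\b(\d{13,19})=(\d{4})(\d{3})\d*")
PAN_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check-digit test used by card PANs."""
    if not digits.isdigit() or len(digits) < 13:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Mask a PAN for display: at most the first six and last four digits are kept."""
    digits = re.sub(r"\D", "", pan)
    if len(digits) < 13:
        raise ValueError("not a PAN")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_cardholder_data(text: str) -> list:
    """Return (kind, masked_pan, offset) for every PAN or track-2 string found in text."""
    findings, consumed = [], []
    for m in TRACK2_RE.finditer(text):
        if luhn_valid(m.group(1)):
            findings.append(("track2", mask_pan(m.group(1)), m.start()))
            consumed.append((m.start(), m.end()))
    for m in PAN_RE.finditer(text):
        # skip digit runs that belong to a track-2 string already reported
        if any(s <= m.start() < e for s, e in consumed):
            continue
        if luhn_valid(m.group(0)):          # Luhn filters out timestamps and IDs
            findings.append(("pan", mask_pan(m.group(0)), m.start()))
    return findings


def scan_records(records) -> dict:
    """Map record index -> findings, for the records that contain cardholder data."""
    report = {}
    for i, rec in enumerate(records):
        hits = find_cardholder_data(rec)
        if hits:
            report[i] = hits
    return report


if __name__ == "__main__":
    for idx, hits in scan_records(SAMPLE_RECORDS).items():
        for kind, masked, pos in hits:
            print(f"record {idx}: {kind} at offset {pos}: {masked}")
```

The scanner reports only the masked form of what it finds, so its own output does not become another copy of cardholder data. Record 1 is the serious finding: a track-2 string after authorization is sensitive authentication data and must be deleted, not merely encrypted; record 0 shows a PAN that should have been truncated or tokenized before it reached a log.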
Protect Cardholder Data
Requirement 4: Encrypt transmission of cardholder data across open, public networks
An attacker who can position themselves on the path (on public Wi-Fi, a compromised router or an ISP link) can intercept cardholder data sent in the clear over the open Internet. Strong cryptography and secure protocols such as TLS prevent such data from being read or altered in transit. Note that SSL and early TLS (TLS 1.0) are no longer considered strong cryptography under PCI-DSS v3.1 and v3.2; they must be replaced with TLS 1.2 or later (the v3.2 migration deadline was 30 June 2018). Wireless networks carrying cardholder data must use current best-practice encryption (WPA2, not WEP), and the PAN must never be sent unprotected over end-user messaging such as e-mail, instant messaging, SMS or chat.
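What "strong cryptography" means in code is a client that refuses SSL and early TLS and actually verifies the server's certificate. The Python below is an added example for this page (not Network Box code): it builds a hardened `ssl.SSLContext`, the weak context seen in a lot of payment integration code for comparison, and a small audit function that reports the PCI-relevant problems with either. The `ca_file` argument is a hypothetical path to your own CA bundle.

```python
import ssl

# TLS 1.2 cipher preferences: forward-secret ECDHE key exchange with AEAD bulk
# ciphers only. TLS 1.3 suites are not affected by set_ciphers() and are all AEAD.
STRONG_CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES"


def strong_client_context(ca_file: str = None) -> ssl.SSLContext:
    """Client context that only negotiates TLS 1.2+ and verifies the server certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses SSLv3, TLS 1.0 and TLS 1.1
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:                                    # hypothetical CA bundle for your acquirer
        ctx.load_verify_locations(ca_file)
    else:
        ctx.load_default_certs()
    ctx.set_ciphers(STRONG_CIPHERS)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The common misconfiguration: certificate checking switched off 'to make it work'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False                     # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE                # any man-in-the-middle certificate is accepted
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return the list of PCI-relevant problems with a context (empty means acceptable)."""
    problems = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append("accepts SSL/early TLS (below TLS 1.2)")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("certificate verification disabled")
    if not ctx.check_hostname:
        problems.append("hostname not checked against certificate")
    return problems


if __name__ == "__main__":
    print("strong:", audit_context(strong_client_context()) or "OK")
    print("weak:  ", audit_context(weak_client_context()))
```

To use the strong context, open a TCP socket to the payment host and call `ctx.wrap_socket(sock, server_hostname=host)`; passing `server_hostname` is what makes `check_hostname` effective. Disabling verification, as the weak context does, leaves the connection encrypted but lets anyone on the path terminate it with their own certificate, which is exactly the interception the requirement is about.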
Maintain a Vulnerability Management Program
Requirement 5: Protect all systems against malware, and regularly update anti-virus software and programs
Malware (malicious software) includes computer viruses, worms, trojans, ransomware and spyware. It can be used to steal, encrypt or delete cardholder data. Anti-malware software must be deployed on all systems commonly affected by malware, kept current, run periodic scans, generate audit logs, and be protected from being disabled or altered by users.
According to Network Box's own figures, there are over 1.5 million zero-day malware samples on the Internet today, so it is essential to stay up to date with the latest anti-malware updates and patches.
Source: http://response.network-box.com/protection-malware
Maintain a Vulnerability Management Program
Requirement 6: Develop and maintain secure systems and applications
By exploiting a security vulnerability in an exposed system or application, hackers and cyber criminals can gain a foothold on your network and steal cardholder data. Reduce this risk by:
Keeping a process for identifying newly published vulnerabilities and ranking them by risk.
Installing vendor security patches promptly: critical patches within one month of release.
Developing in-house and custom software (including web applications) securely, with code review and protection against common flaws such as injection, buffer overflows and cross-site scripting; public-facing web applications must also be reviewed regularly for vulnerabilities or placed behind a web application firewall.
Following documented change-control procedures for every change to system components.
If patch distribution is fully automated, with patches pushed to devices as soon as they become available, the window of exposure and the risk to your network are greatly reduced.
Implement Strong Access Control Measures
Requirement 7: Restrict access to cardholder data by business need-to-know
Access control lets you permit or deny staff access to cardholder data. By restricting access on a need-to-know basis tied to job responsibilities, and granting the least amount of data and privileges needed to perform a job, cardholder data can only be accessed by authorized personnel. The access control system should default to 'deny all' and enforce the documented role assignments.
Implement Strong Access Control Measures
Requirement 8: Identify and authenticate access to system components
Assign a unique user ID to every person with access to critical data and systems, and prohibit shared or group accounts, so that every action performed on a system component can be traced back to an individual. Authenticate each user with a password or passphrase, a token or smart card, or a biometric; enforce lockout after repeated failed logins, idle-session timeouts, and prompt removal of the accounts of staff who leave.
In addition, multi-factor authentication (MFA) is required for all non-console administrative access to the cardholder data environment and for all remote network access originating from outside the network, whether by staff, administrators or third parties.
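The most common second factor in practice is a time-based one-time password (TOTP, RFC 6238) generated by an authenticator app. The Python below is an added example for this page, not Network Box code: it implements HOTP and TOTP with only the standard library, and wraps them in a small per-user registry that enrols one secret per unique user ID, compares codes in constant time, and refuses a code that has already been accepted (replay). The `MfaRegistry` class and its storage are assumptions for the demo; a real deployment keeps the secrets encrypted at rest.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the 30-second time counter."""
    t = int(time.time()) if at_time is None else int(at_time)
    return hotp(secret, t // step, digits)


class MfaRegistry:
    """One unique user ID and one secret per person; no shared or group accounts."""

    STEP = 30

    def __init__(self):
        self._secrets = {}        # user_id -> shared secret (encrypt at rest in practice)
        self._last_counter = {}   # user_id -> last time-step accepted, to block replays

    def enroll(self, user_id: str) -> bytes:
        secret = secrets.token_bytes(20)   # 160-bit seed, shown once to the user as a QR code
        self._secrets[user_id] = secret
        return secret

    def verify(self, user_id: str, code: str, now: int = None, window: int = 1) -> bool:
        """Accept a code for the current step or +/- `window` steps of clock drift, once only."""
        secret = self._secrets.get(user_id)
        if secret is None or not code.isdigit():   # unknown user: same answer as a bad code
            return False
        t = int(time.time()) if now is None else int(now)
        counter = t // self.STEP
        for delta in range(-window, window + 1):
            c = counter + delta
            if c <= self._last_counter.get(user_id, -1):
                continue                            # already used, or older than a used code
            if hmac.compare_digest(hotp(secret, c), code):   # constant-time comparison
                self._last_counter[user_id] = c
                return True
        return False


if __name__ == "__main__":
    reg = MfaRegistry()
    alice = reg.enroll("alice")
    print("current code for alice:", totp(alice))
    print("accepted:", reg.verify("alice", totp(alice)))
    print("replayed:", reg.verify("alice", totp(alice)))
```

The RFC 4226/6238 test vectors (secret `12345678901234567890`) are a quick self-check for any TOTP implementation. The second factor only helps if the first cannot bypass it: rate-limit `verify` as you would password logins, since a six-digit code with a three-step window is brute-forceable if an attacker may try without limit.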
Implement Strong Access Control Measures
Requirement 9: Restrict physical access to cardholder data
With the rise in low-tech social engineering methods used by hackers and cyber criminals (tailgating, posing as a technician or a courier), part-time staff, contractors, consultants and other on-site visitors should be given only very restricted physical access to areas where cardholder data is processed or stored.
Visitors must be authorized before entry, escorted in sensitive areas, given a visibly distinguishable badge that expires, and recorded in a visitor log; use of temporary access cards and denial of entry to restricted areas is required. Media holding cardholder data must be physically secured and destroyed when no longer needed, and card-reading devices must be inventoried and periodically inspected for tampering or substitution.
Regularly Monitor and Test Networks
Requirement 10: Track and monitor all access to network resources and cardholder data
If something does go wrong, logs and user activity history are essential for digital forensics. Implementing the following will help:
Use audit trails that link all access to system components to each individual user.
Record audit trail entries for all system components for each event: user, event type, date and time, success or failure, origin, and the resource affected.
Synchronize clocks from a trusted time source (for example NTP) so that events from different systems can be correlated.
Secure audit trails so they cannot be altered: restrict viewing to those with a job-related need, protect logs from modification, and forward them promptly to a central log server or media that is difficult to alter.
Review logs and security events at least daily to identify anomalies or suspicious activity, and retain audit history for at least one year, with a minimum of three months immediately available for analysis.
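Two of those controls can be shown concretely: making an audit trail tamper-evident, and the kind of rule a daily log review applies. The Python below is an added example for this page, not Network Box code or a PCI-SSC tool. Each entry carries an HMAC over its own content and the previous entry's MAC, so editing, deleting or reordering any earlier entry is detected; the event records, the review rules and the key are constructed for the demo, and a real log server would hold the key, not the systems that write the log.

```python
import copy
import hashlib
import hmac
import json


class AuditTrail:
    """Append-only trail: each entry's MAC covers the previous MAC, so any edit,
    deletion or reordering of earlier entries breaks the chain."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self._key = key          # held by the log server, not by the systems that log
        self.entries = []

    @staticmethod
    def _canonical(event: dict) -> str:
        return json.dumps(event, sort_keys=True, separators=(",", ":"))

    def _mac(self, prev: str, event: dict) -> str:
        msg = (prev + self._canonical(event)).encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()

    def append(self, event: dict) -> dict:
        prev = self.entries[-1]["mac"] if self.entries else self.GENESIS
        entry = {"event": event, "prev": prev, "mac": self._mac(prev, event)}
        self.entries.append(entry)
        return entry

    def first_bad_entry(self, entries=None) -> int:
        """Index of the first entry whose chain link or MAC fails, or -1 if intact."""
        entries = self.entries if entries is None else entries
        prev = self.GENESIS
        for i, e in enumerate(entries):
            if e["prev"] != prev or not hmac.compare_digest(e["mac"], self._mac(prev, e["event"])):
                return i
            prev = e["mac"]
        return -1


def review(entries, pan_authorized, max_failures=5) -> list:
    """Two daily-review rules: brute-force logins, and PAN access without need-to-know."""
    alerts, failures = [], {}
    for e in entries:
        ev = e["event"]
        user = ev["user"]
        if ev["action"] == "login_failed":
            failures[user] = failures.get(user, 0) + 1
            if failures[user] == max_failures:
                alerts.append(f"{user}: {max_failures} consecutive failed logins from {ev['src']}")
        elif ev["action"] == "login_ok":
            failures.pop(user, None)
        elif ev["action"] == "read_pan" and user not in pan_authorized:
            alerts.append(f"{user}: read PAN on {ev['target']} without need-to-know")
    return alerts


def build_sample_trail(key: bytes = b"demo-log-key") -> AuditTrail:
    """Constructed sample events (not from any real system)."""
    trail = AuditTrail(key)
    for n in range(5):
        trail.append({"ts": f"2018-03-01T08:59:5{n}Z", "user": "bob", "action": "login_failed",
                      "src": "10.1.1.5", "target": "pos-db"})
    trail.append({"ts": "2018-03-01T09:00:01Z", "user": "bob", "action": "login_ok",
                  "src": "10.1.1.5", "target": "pos-db"})
    trail.append({"ts": "2018-03-01T09:00:30Z", "user": "bob", "action": "read_pan",
                  "src": "10.1.1.5", "target": "pos-db"})
    trail.append({"ts": "2018-03-01T09:05:00Z", "user": "alice", "action": "read_pan",
                  "src": "10.1.2.9", "target": "pos-db"})
    return trail


def tampered_copy(trail: AuditTrail, index: int) -> list:
    """Copy of the entries in which entry `index` has been edited to blame someone else."""
    entries = copy.deepcopy(trail.entries)
    entries[index]["event"]["user"] = "alice"
    return entries


if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", trail.first_bad_entry())
    print("after tampering with entry 6:", trail.first_bad_entry(tampered_copy(trail, 6)))
    for alert in review(trail.entries, pan_authorized={"alice"}):
        print("ALERT", alert)
```

The chain detects edits and deletions in the middle of the trail but not truncation of the tail, so periodically copy the latest MAC to a separate system (or the central log server's own chain); that anchor is what turns "hard to alter" into "alteration is provable".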
Regularly Monitor and Test Networks
Requirement 11: Regularly test security systems and processes
New vulnerabilities are constantly being discovered and exploited by hackers and cyber criminals, so your systems should be tested frequently to ensure security is maintained over time:
Implement a process to detect and identify all authorized and unauthorized wireless access points, at least quarterly.
Run internal and external network vulnerability scans at least quarterly and after any significant change to your network; external scans must be performed by a PCI-approved scanning vendor (ASV), with rescans until passing results are obtained.
Perform penetration testing of the cardholder data environment at least annually and after any significant change, including testing that segmentation controls really isolate the CDE.
Use network intrusion detection and/or intrusion prevention techniques to detect and/or prevent intrusions into the network, and deploy a change-detection mechanism (such as file-integrity monitoring) on critical system files, with comparisons at least weekly.
Maintain an Information Security Policy
Requirement 12: Maintain a policy that addresses information security for all personnel
A clear and precise security policy is essential so that all staff are aware of the sensitivity of cardholder data and their responsibility for protecting it.
Establish, publish, maintain and disseminate a security policy.
Review the security policy at least annually and update it when the environment changes.
Implement a risk assessment process that is performed at least annually and after significant changes.
Ensure that the security policy and procedures clearly define information security responsibilities for all personnel, including third-party service providers with whom cardholder data is shared.
Run a security awareness programme for staff, and maintain an incident response plan that is tested at least annually.
PCI-DSS Statistics
57% of businesses with one to six million transactions are still not PCI-DSS compliant.
35% of businesses with more than six million transactions are still not PCI-DSS compliant.
US$25,000 is the fine cited for businesses that are not PCI-DSS compliant (fines are levied by the card brands through the acquiring bank and vary with merchant level and how long non-compliance persists).
Source: https://www.scmagazine.com/the-latest-visa-pci-compliance-stats-are-in/article/556888/
Seek professional help for your PCI-DSS compliance
Staying PCI-DSS compliant can take up valuable time and resources. By outsourcing your cyber security to a Managed Security Service Provider (MSSP), you gain help with achieving and maintaining PCI-DSS compliance.
In addition to PCI-DSS compliance, the benefits of using an MSSP include:
Safely and securely connecting multiple stores, branches, warehouses and remote sites
Reducing operational costs by centralizing security policy management
Reducing administrative and operational overhead
Protecting sensitive and confidential data and ensuring compliance with PCI standards
Growing your network without sacrificing centralized control
Award-Winning Technology: Fastest, Most Extensive, Cost-Effective and Assured Protection
In 2017, Network Box was PUSHing an average of 30,000 updates a day.
PUSH Technology proactively pushes out and installs updates in an average time of less than 45 seconds.
Z-Scan focuses on developing and releasing updates to protect against emerging zero-day malware, with a best response time of 3 seconds from a threat being detected.
Figure: Z-Scan Malware Detection. A malware writer releases zero-day malware to a command-and-control system; the malware is distributed to the botnet and released into the cloud, where it is caught in one of Z-Scan's 250,000+ 'in-the-cloud' malware traps.
Figure: Z-Scan Identification and Signature Creation. The zero-day malware caught by the 'in-the-cloud' traps is sent to Network Box Security Response as well as the Network Box M-Scan Lab. While the M-Scan Lab performs analysis, Network Box Security Response uses the Z-Scan Outbreak System to protect Network Box clients around the world.
Figure: Z-Scan Signature Release and Application. Signatures from the Z-Scan Outbreak System are released to the Security Operations Centers (SOCs) in the USA, Europe and Asia regions. When an end user's Network Box receives a potential threat, the device sends the object hash to the Z-Scan cloud, which immediately replies with a confidence level. The whole process takes 3 seconds.
PCI-DSS v3.1 and v3.2 Compliant
While Network Box does not directly store or process credit card information, a large number of our customers do, which brings them under the PCI security standard. Network Box, as a service provider, can help you with gaining and maintaining PCI-DSS compliance.
Other Security Threats: the top 5 cyber risks affecting most businesses and organizations today
5. Internet of Things (IoT): the vulnerability of everything
1 million new devices connect to the Internet every 3 hours.
Competitors and government agencies can listen to your VoIP (Voice over Internet Protocol) telecons.
Cameras used by most offices, industrial plants, hospitals, prisons, banks and the military can all be hacked.
All scanned information on the hard discs of MFCs (Multi-Function Centers) can be stolen.
Without proper protection, these Internet-connected devices are all vulnerable to cyber attacks and open to hackers.
Sources:
https://blogs.cisco.com/news/cisco-connections-counter/
http://www.businessinsider.com/expert-hackers-can-take-over-security-cameras-to-spy-on-you-2013-6
http://www.cbsnews.com/news/digital-photocopiers-loaded-with-secrets/
http://nakedsecurity.sophos.com/2012/01/25/hacking-videoconferencing/
4. DDoS (Distributed Denial of Service)
The hacker group New World Hacking launched what was probably one of the largest DDoS attacks in history, reaching 602 Gbps.
DDoS attacks are up 149% compared with the same period the previous year.
Leveraging IoT devices, an attack by the Mirai botnet disrupted a large number of well-known websites: The New York Times, Netflix, Twitter, Google, VISA, CNN, Wall Street Journal and PayPal.
Sources:
https://nakedsecurity.sophos.com/2016/03/02/ddos-attacks-are-soaring-says-new-report/
http://thehackernews.com/2016/01/biggest-ddos-attack.html
http://www.bbc.com/news/technology-37728015
3. Ransomware: your computer files could be held for ransom
Ransomware is on the rise, and many businesses and organizations have had to pay huge sums to free their files.
The global ransomware damage cost in 2017 is estimated to be in excess of US$5 billion.
More than 300,000 computer systems in over 150 countries were affected by the recent WannaCry ransomware.
Sources:
http://www.telegraph.co.uk/news/2017/05/13/nhs-cyber-attack-everything-need-know-biggest-ransomware-offensive/
http://cybersecurityventures.com/ransomware-damage-report-2017-5-billion/
2. Internal staff: they can be your biggest security risk
of users have the same password across multiple social media sites. By stealing passwords from these sites and reusing them, hackers could gain access to your network.
Your network could be in danger if you are using default passwords. With the user name admin and the password 12345678, hackers can easily infiltrate many networks and smart devices.
Social engineering and other low-tech methods can also be used to obtain your personal and confidential information, as well as access to your network.
Sources:
http://securitywatch.pcmag.com/malware/319537-reusing-passwords-across-social-media-sites-don-t-do-that
http://money.cnn.com/2013/04/08/technology/security/shodan/
http://www.pcworld.com/article/182180/top_5_social_engineering_exploit_techniques.html
1. Procrastination: don't wait to be a victim
If you do not have proper cyber security in place, you could be vulnerable right now:
Hackers are probing your network every 2.3 seconds
A new virus is released every 12 minutes
66.5% of your email is spam, social engineering or malware
Source: http://response.network-box.com/internet-statistics
The Bottom Line...
Who do you think is going to win?
Businesses and organizations operate at the speed of red tape, while hackers operate at the speed of the Internet.
"You cannot escape the responsibility of tomorrow by evading it today."
― Abraham Lincoln
Thank You
Jan van Leersum, Managing Director, Network Box Singapore